summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChris Cowart <ccowart@timesinks.net>2025-11-15 22:39:53 -0800
committerChris Cowart <ccowart@timesinks.net>2025-11-21 18:22:43 -0800
commit090c4afe8dce25f772c24fc9bb6e3b96d23fcc2b (patch)
treea96d8dcad9a2cfbeb2a2e9ea098fc7aa65da3aee
parentcae2717e9a608a1706e9dc134f7d560453ec4bfe (diff)
downloadvyos-1x-090c4afe8dce25f772c24fc9bb6e3b96d23fcc2b.tar.gz
vyos-1x-090c4afe8dce25f772c24fc9bb6e3b96d23fcc2b.zip
T8027: vpn: adding config for swanctl "send-cert always"
This setting seems to be required for various Apple clients to connect to the IKEv2 IPSec VPN.
-rw-r--r--data/templates/ipsec/swanctl/remote_access.j23
-rw-r--r--interface-definitions/vpn_ipsec.xml.in6
-rwxr-xr-xsmoketest/scripts/cli/test_vpn_ipsec.py21
3 files changed, 26 insertions, 4 deletions
diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2
index c79f292b4..d06b3d74b 100644
--- a/data/templates/ipsec/swanctl/remote_access.j2
+++ b/data/templates/ipsec/swanctl/remote_access.j2
@@ -8,6 +8,9 @@
proposals = {{ ike_group[rw_conf.ike_group] | get_esp_ike_cipher | join(',') }}
version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }}
send_certreq = no
+{% if rw_conf.authentication.always_send_cert is vyos_defined %}
+ send_cert = always
+{% endif %}
{% if ike.dead_peer_detection is vyos_defined %}
dpd_timeout = {{ ike.dead_peer_detection.timeout }}
dpd_delay = {{ ike.dead_peer_detection.interval }}
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 517bf89fd..7d901402d 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -870,6 +870,12 @@
<defaultValue>eap-mschapv2</defaultValue>
</leafNode>
#include <include/auth-local-users.xml.i>
+ <leafNode name="always-send-cert">
+ <properties>
+ <help>Always send local certificate for this connection</help>
+ <valueless/>
+ </properties>
+ </leafNode>
<leafNode name="server-mode">
<properties>
<help>Server authentication mode</help>
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index 4cb23fbc0..637e854a2 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -1151,10 +1151,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
for line in swanctl_lines:
self.assertIn(line, swanctl_conf)
- swanctl_unexpected_lines = [
- f'auth = eap-',
- f'eap_id'
- ]
+ swanctl_unexpected_lines = [f'auth = eap-', f'eap_id', f'send_cert =']
for unexpected_line in swanctl_unexpected_lines:
self.assertNotIn(unexpected_line, swanctl_conf)
@@ -1171,6 +1168,22 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{int_ca_name}.pem')))
self.assertTrue(os.path.exists(os.path.join(CERT_PATH, f'{peer_name}.pem')))
+ # Add the always-send-cert config and observe the change
+ self.cli_set(
+ base_path
+ + [
+ 'remote-access',
+ 'connection',
+ conn_name,
+ 'authentication',
+ 'always-send-cert',
+ ]
+ )
+ self.cli_commit()
+
+ swanctl_conf = read_file(swanctl_file)
+ self.assertIn(f'send_cert = always', swanctl_conf)
+
self.tearDownPKI()
def test_remote_access_dhcp_fail_handling(self):